You can set up Threat Defender to restrict access to certain websites for a certain time.

This example shows how to use the following concepts:

  • Correlation scenarios
  • Event tracking tables


Objective

YouTube access is restricted to 5 minutes. Afterwards, YouTube is blocked for an hour. 

To implement this, you need to set up a correlation scenario with two event tracking tables and a dedicated rule set.


Creating the Correlation Scenario

First, set up the correlation scenario that will contain the rules and event tracking tables.

  1. Navigate to Policy > Advanced Correlation.
  2. Click ADD.
  3. Enter a Name and an optional Note.
  4. Click SAVE.


Creating the Event Tracking Tables

In the correlation scenario, create two event tracking tables. One stores users for 5 minutes, the other stores users for one hour. This way, two lists with YouTube users are created.

We use event tracking tables to track the users. Since we only want to track the primary attribute, i.e. the User, select None as the secondary attribute. This is important: if a secondary attribute were selected, Threat Defender would compare the attribute pairs rather than the user alone, and the rules below would not match.


The following table shows the required settings of the event tracking tables (retention time in seconds):

Name          Retention Time (s)   Primary Attribute Type   Max. Number of Primary Attributes   Secondary Attribute Type   Max. No. of Secondary Attributes per Primary One
1 hour users  3600                 User                     100                                 None                       1
5 min users   300                  User                     100                                 None                       1


Note: Under Maximum Number of Primary Attributes, make sure that both tables are large enough to fit the number of users in your network.


Creating the Rule Set

Set up a rule set of five rules in the correlation scenario:

  • Rule 1 allows all traffic except YouTube.
  • Rule 2 allows YouTube access for users on the 5 min users list.
  • Rule 3 rejects YouTube access for users on the 1 hour users list.
  • Rule 4 adds users who start a new YouTube connection to the 5 min users list.
  • Rule 5 adds the same users to the 1 hour users list.

Rules 4 and 5 are only reached by YouTube traffic from users who are on neither list, because rules 2 and 3 end processing for everyone else.

The following table shows the required rule settings. Source and Destination are Any for every rule.

Rule 1
  Condition: Classification, Excluded Applications/Protocols: YouTube
  Action: Final Action: Allow Traffic and Skip to Next Scenario

Rule 2
  Condition: Classification, Applications/Protocols: YouTube
             Advanced Correlation Condition: Event in Event Tracking Table, Event Tracking Table: 5 min users
  Action: Final Action: Allow Traffic and Skip to Next Scenario

Rule 3
  Condition: Classification, Applications/Protocols: YouTube
             Advanced Correlation Condition: Event in Event Tracking Table, Event Tracking Table: 1 hour users
  Action: Final Action: Reject Traffic and Stop Processing

Rule 4
  Condition: Classification, Applications/Protocols: YouTube
  Action: Add to Event Tracking Table, Event Tracking Table: 5 min users, Primary Attribute: User, Secondary Attribute: None

Rule 5
  Condition: Classification, Applications/Protocols: YouTube
  Action: Add to Event Tracking Table, Event Tracking Table: 1 hour users, Primary Attribute: User, Secondary Attribute: None

Note that only rule 1 excludes YouTube; rules 2 to 5 must match YouTube traffic, otherwise they would never be evaluated against it. The order of rules 2 and 3 matters: during the first five minutes a user is on both lists, and rule 2 must allow the traffic before rule 3 can reject it.


Click APPLY CHANGES to activate your configuration changes.


Result

The system processes the specified rule set in a top-down approach:

  1. The system allows all traffic but YouTube.
  2. For YouTube traffic, the system checks if the requesting user is in any of the event tracking tables:
  • If the user is on the 5 min users list, Threat Defender allows YouTube access and skips to the next correlation scenario.
  • If the user is not on the 5 min users list but on the 1 hour users list, Threat Defender rejects YouTube access and stops processing.
  • If the user is on neither list, Threat Defender adds the user to both event tracking tables, so the user's next YouTube connection matches rule 2.

Because rules 4 and 5 only fire for users who are on neither list, both retention timers start at the user's first YouTube connection: after 300 seconds the 5 min users entry expires and rule 3 rejects further YouTube traffic; after 3600 seconds the 1 hour users entry expires as well, and the next YouTube connection starts a new five-minute window.
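The following Python model is an added example and not Threat Defender code. It replays the five rules and the two event tracking tables over constructed sample traffic so the timing described above (five minutes allowed, then an hour rejected, then a new window) can be checked, and it shows why the note on Maximum Number of Primary Attributes matters: a user who does not fit into the tables is never tracked and therefore never blocked. The evaluation semantics it assumes (top-down, the first final action ends processing, an end of the rule set without a final action means allow, a full table refuses new entries) are illustrative assumptions, not documented product behaviour.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class EventTrackingTable:
    """Event tracking table with a primary attribute only (secondary 'None')."""
    name: str
    retention: int                      # seconds an entry stays in the table
    max_primary: int                    # Maximum Number of Primary Attributes
    entries: Dict[str, int] = field(default_factory=dict)  # user -> expiry time

    def _expire(self, now: int) -> None:
        self.entries = {u: exp for u, exp in self.entries.items() if exp > now}

    def contains(self, user: str, now: int) -> bool:
        self._expire(now)
        return user in self.entries

    def add(self, user: str, now: int) -> bool:
        """Insert (or refresh) a user. Assumption: a full table refuses new users."""
        self._expire(now)
        if user not in self.entries and len(self.entries) >= self.max_primary:
            return False
        self.entries[user] = now + self.retention
        return True


@dataclass
class Rule:
    name: str
    condition: Callable[[str, str, int], bool]          # (user, app, now) -> match?
    action: Optional[Callable[[str, int], bool]] = None  # e.g. add to a table
    final: Optional[str] = None                          # "allow", "reject" or None


class Scenario:
    """The five-rule correlation scenario, evaluated top-down."""

    def __init__(self, max_primary: int = 100):
        self.five_min = EventTrackingTable("5 min users", 300, max_primary)
        self.one_hour = EventTrackingTable("1 hour users", 3600, max_primary)
        fm, oh = self.five_min, self.one_hour
        is_yt = lambda u, app, now: app == "YouTube"
        self.rules: List[Rule] = [
            Rule("1 allow everything but YouTube",
                 lambda u, app, now: app != "YouTube", final="allow"),
            Rule("2 allow YouTube for users on the 5 min list",
                 lambda u, app, now: is_yt(u, app, now) and fm.contains(u, now),
                 final="allow"),
            Rule("3 reject YouTube for users on the 1 hour list",
                 lambda u, app, now: is_yt(u, app, now) and oh.contains(u, now),
                 final="reject"),
            Rule("4 add new YouTube user to the 5 min list", is_yt,
                 action=lambda u, now: fm.add(u, now)),
            Rule("5 add new YouTube user to the 1 hour list", is_yt,
                 action=lambda u, now: oh.add(u, now)),
        ]

    def evaluate(self, user: str, app: str, now: int) -> str:
        for rule in self.rules:
            if not rule.condition(user, app, now):
                continue
            if rule.action is not None:
                rule.action(user, now)
            if rule.final is not None:      # "... Skip to Next Scenario" / "... Stop Processing"
                return rule.final
        return "allow"  # assumed default when the rule set ends without a final action

    def timeline(self, user: str, checks: List[Tuple[int, str]]) -> List[str]:
        return [self.evaluate(user, app, t) for t, app in checks]


# Constructed sample traffic: (seconds since the first request, application)
ALICE = [(0, "YouTube"), (120, "YouTube"), (299, "YouTube"), (300, "YouTube"),
         (1800, "YouTube"), (1800, "Mail"), (3599, "YouTube"), (3600, "YouTube")]


def capacity_demo() -> dict:
    """Tables sized for one user: the second user is never tracked, hence never rejected."""
    s = Scenario(max_primary=1)
    s.evaluate("alice", "YouTube", 0)   # alice fills both tables
    bob = s.timeline("bob", [(0, "YouTube"), (600, "YouTube"), (1200, "YouTube")])
    alice = s.evaluate("alice", "YouTube", 1200)
    return {"alice": alice, "bob": bob}


if __name__ == "__main__":
    for (t, app), decision in zip(ALICE, Scenario().timeline("alice", ALICE)):
        print(f"t={t:>5}s {app:<8} -> {decision}")
    print("undersized tables:", capacity_demo())
```

With the default table size, alice is allowed until second 299, rejected from second 300 to 3599, and allowed again at second 3600 when her 1 hour users entry has expired; her mail traffic is never affected. With tables sized for a single user, bob is allowed at every check while alice is rejected, which is exactly the gap the sizing note above warns about.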